Mova Compliance Audit

v1.0.1

Submit documents for AI-powered compliance audit against GDPR, PCI-DSS, ISO 27001, or SOC 2 via MOVA HITL. Trigger when the user uploads a document and menti...

by Sergii Miasoiedov (@mova-compact)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mova-compact/mova-compliance-audit.

Prompt preview (Install & Setup):
Install the skill "Mova Compliance Audit" (mova-compact/mova-compliance-audit) from ClawHub.
Skill page: https://clawhub.ai/mova-compact/mova-compliance-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install mova-compliance-audit

ClawHub CLI (via npx):

npx clawhub@latest install mova-compliance-audit

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability

The name/description (MOVA compliance audit) aligns with the instructions: submit document URL/ID, request framework, run rule checks, present findings, and require human sign-off. The SKILL.md explicitly references calling mova_hitl_start_compliance and sending data to api.mova-lab.eu, which is expected for this capability.

Instruction Scope

The runtime instructions stay within the stated purpose: ingest a document (URL/ID), run OCR/connectors/rules engine via MOVA, display findings, and require a human decision. There are no instructions to read unrelated local files or system env vars, or to send data to arbitrary third parties beyond the documented MOVA endpoints.

Install Mechanism

The skill is instruction-only (no install spec), which is low risk, but the metadata requires an external OpenClaw plugin (openclaw-mova). That plugin installation is an out-of-band action not packaged in this skill and may pull code/credentials into your environment — the plugin should be reviewed/trusted before installation.

Credentials

The skill itself declares no environment variables or credentials, which is coherent for an instruction-only wrapper, but it will send document URLs and org metadata to api.mova-lab.eu. In practice the required MOVA credentials/config are likely managed by the external plugin (not declared here). Confirm how the plugin stores/uses credentials and ensure you consent to sending potentially sensitive documents to MOVA.

Persistence & Privilege

The skill does not request permanent/always-on presence, does not modify other skills' configs, and requires a human gate for final decisions. No elevated persistence privileges are requested by the skill itself.

Assessment

This skill appears to do what it claims: submit documents to the MOVA platform for a human-in-the-loop compliance audit. Before installing/using it:

  1. Verify and review the openclaw-mova plugin (the skill depends on it); confirm the plugin's provenance, code, and permissions.
  2. Be aware that documents and organization metadata will be sent to api.mova-lab.eu (EU-hosted) and to MOVA connectors (OCR, rules engine) — do not upload sensitive or regulated data until you confirm retention, residency, and privacy policies.
  3. Confirm how MOVA credentials are provided and stored by the plugin (the skill itself does not declare env vars).
  4. Test with non-sensitive sample documents first and ensure your compliance officer is prepared for the mandatory human sign-off flow.

If you cannot review the plugin or accept external data sharing, do not enable this skill.


Latest version ID: vk978n3z49ajyaakfkwd79yt5th84290s
169 downloads
0 stars
4 versions
Updated 3w ago
v1.0.1
License: MIT-0

Contract Skill — A ready-to-use MOVA HITL workflow. Requires the openclaw-mova plugin.

MOVA Compliance Audit

Submit an organization's documents to MOVA for automated regulatory compliance audit — with framework-specific rule matching, a structured findings report, and a mandatory human sign-off gate backed by a tamper-proof audit trail.

What it does

  1. Document ingestion — OCR extraction and structure parsing from uploaded file or URL
  2. Rules engine check — automated evaluation against the selected regulatory framework (GDPR, PCI-DSS, ISO 27001, SOC 2)
  3. Findings report — checklist with pass/fail items, severity codes, and recommended remediation actions
  4. Human gate — compliance officer reviews findings and chooses: approve / approve with conditions / reject / request corrections
  5. Audit receipt — every check, source, and decision is signed, timestamped, and stored in an immutable MOVA audit trail for regulatory inspection

Mandatory escalation rules enforced by policy:

  • Critical findings present → mandatory human review, cannot auto-approve
  • Regulated framework (GDPR, PCI-DSS) → full audit report artifact required
  • Rejection or conditions → remediation items must be recorded with reason

Requirements

Plugin: MOVA OpenClaw plugin must be installed in your OpenClaw workspace.

Data flows:

  • Document URL/ID + org metadata → api.mova-lab.eu (MOVA platform, EU-hosted)
  • Document content → OCR extraction connector (read-only, no data stored)
  • Extracted structure → compliance rules engine (framework-specific, read-only)
  • Audit journal → MOVA R2 storage, cryptographically signed
  • No data sent to third parties beyond the above

Demo

Step 1 — Document submitted for GDPR audit

Step 2 — AI findings: 3 critical violations, missing DPIA, reject recommended

Step 3 — Audit receipt + signed decision log

Quick start

Say "run GDPR compliance audit on this document" and provide a document URL or ID:

document_url: https://example.com/privacy-policy.pdf
framework: gdpr
org_name: Acme Corp

The agent submits the document, shows the AI findings checklist with pass/fail items and severity, then asks for your compliance decision.

Why contract execution matters

  • Framework rules are policy, not prompts — GDPR and PCI-DSS checks trigger mandatory gates that cannot be bypassed by the AI
  • Full checklist traceability — every pass/fail item is linked to a specific rule ID and source citation
  • Immutable audit trail — when a regulator asks "who signed off this audit and what did they see?" — the answer is in the system with an exact timestamp
  • EU AI Act / GDPR Article 22 ready — automated compliance decisions require human oversight, full explainability, and a documented decision chain

What the user receives

Output fields:

  • Framework: selected regulatory standard (GDPR, PCI-DSS, ISO 27001, SOC 2)
  • Checklist score: pass / fail count per framework section
  • Critical findings: count and list of critical violations
  • Findings list: per item, rule ID, description, severity (critical / high / medium / low)
  • Remediation hints: recommended corrective actions per finding
  • Recommended action: AI-suggested compliance decision
  • Decision options: approve / approve_with_conditions / reject / request_corrections
  • Audit receipt ID: permanent signed record of the compliance decision
  • Compact journal: full event log: ingest → rules check → human decision

When to trigger

Activate when the user:

  • Uploads a document and mentions compliance, regulation, or audit
  • Says "check GDPR compliance", "run PCI-DSS audit", "validate ISO 27001", "SOC 2 check"
  • Asks to prepare for a regulatory inspection

Before starting, confirm: "Run compliance audit on [document] — framework: [FRAMEWORK]?"

If framework is not specified — ask once: GDPR, PCI-DSS, ISO 27001, or SOC 2. If document URL is missing — ask once for a direct HTTPS link or document ID.

Step 1 — Submit document for audit

Call tool mova_hitl_start_compliance with:

  • document_url: direct HTTPS link to the document
  • document_id: unique identifier (e.g. DOC-2026-001)
  • framework: one of gdpr / pci_dss / iso_27001 / soc2
  • org_name: organization name

Step 2 — Show findings and decision options

If status = "waiting_human" — show the audit findings summary:

Document:   document_id
Framework:  FRAMEWORK
Score:      PASS_COUNT / TOTAL_CHECKS passed
Critical:   CRITICAL_COUNT critical findings
Findings:   [list top findings with rule ID and severity]
Recommended action: ACTION ← RECOMMENDED

Then ask compliance officer to choose:

  • approve: sign off audit report as compliant
  • approve_with_conditions: approve with listed remediation items
  • reject: document fails compliance — block processing
  • request_corrections: return document for corrections

Call tool mova_hitl_decide with:

  • contract_id: from the response above — this is ctr-cau-xxxxxxxx, NOT the document ID
  • option: chosen decision
  • reason: officer reasoning (required for reject and request_corrections)

Step 3 — Show audit receipt

Call tool mova_hitl_audit with contract_id. Call tool mova_hitl_audit_compact with contract_id for the full signed event chain.
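The mandatory escalation rules above (critical findings, regulated frameworks, reasons and remediation items for rejections) and the contract_id rule for mova_hitl_decide can be checked on the agent side before the decision tool is called. The following is an added example, not code from the skill or the openclaw-mova plugin; the response field names (contract_id, critical_count, framework) and the decided_by_human flag are assumptions modelled on the findings template in Step 2, and the exact shape of ctr-cau-xxxxxxxx is assumed to be eight lowercase alphanumerics.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an assumed mova_hitl_start_compliance response
# (field names follow the Step 2 findings template; not the real plugin schema).
SAMPLE_FINDINGS = {
    "contract_id": "ctr-cau-7f3a9b2c",
    "status": "waiting_human",
    "document_id": "DOC-2026-001",
    "framework": "gdpr",
    "pass_count": 18,
    "total_checks": 24,
    "critical_count": 3,
    "recommended": "reject",
}

CONTRACT_RE = re.compile(r"^ctr-cau-[0-9a-z]{8}$")  # assumed shape of ctr-cau-xxxxxxxx
OPTIONS = {"approve", "approve_with_conditions", "reject", "request_corrections"}
REGULATED = {"gdpr", "pci_dss"}  # frameworks that require a full audit report artifact


@dataclass
class Decision:
    contract_id: str
    option: str
    reason: str = ""
    remediation_items: list = field(default_factory=list)
    decided_by_human: bool = True  # False = agent auto-applied the AI recommendation (assumed flag)


def check_decision(findings: dict, d: Decision) -> list:
    """Return policy violations for a proposed mova_hitl_decide call; [] means it may be sent."""
    errors = []
    if not CONTRACT_RE.match(d.contract_id):
        errors.append("contract_id must be ctr-cau-xxxxxxxx, not the document ID")
    if d.option not in OPTIONS:
        errors.append(f"unknown option {d.option!r}")
    if findings["critical_count"] > 0 and not d.decided_by_human:
        errors.append("critical findings present: human review is mandatory, cannot auto-approve")
    if d.option in {"reject", "request_corrections"} and not d.reason.strip():
        errors.append("reason is required for reject and request_corrections")
    if d.option in {"reject", "approve_with_conditions"} and not d.remediation_items:
        errors.append("rejection or conditions require recorded remediation items")
    return errors


def requires_full_report(findings: dict) -> bool:
    """GDPR and PCI-DSS audits must produce the full audit report artifact."""
    return findings["framework"] in REGULATED
```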

Connect your real compliance systems

By default MOVA uses a sandbox mock. To route checks against your live infrastructure, call mova_list_connectors with keyword: "compliance".

Relevant connectors:

  • connector.ocr.document_extract_v1: document OCR and structure extraction
  • connector.compliance.rules_engine_v1: framework-specific compliance rule evaluation

Call mova_register_connector with connector_id, endpoint, optional auth_header and auth_value.

Rules

  • NEVER make HTTP requests manually
  • NEVER invent or simulate compliance results — if a tool call fails, show the exact error
  • Use MOVA plugin tools directly — do NOT use exec or shell
  • CONTRACT_ID is ctr-cau-xxxxxxxx from the mova_hitl_start_compliance response — NOT the document ID
